News Now

Hannaford says its hacked system was compliant

PORTLAND, Maine (3/20/08)--A grocery retail chain that announced a major data breach earlier this week says its computer systems were compliant with the Payment Card Industry (PCI) data-security standard for encryption.

The breach occurred in the system of Hannaford Bros. Co., based in Portland, and resulted in the theft of up to 4.2 million customer debit and credit card numbers from more than 200 stores in New England, New York State, and Florida. The data was accessed illegally from the company's computer systems during the card verification transmission process of a transaction, said Hannaford President/CEO Ronald C. Hodge, in announcing the breach on the company's website (News Now 3/18/08).

In an interview with Digital Transactions News (March 18), Hannaford Vice President of Marketing Carol Eleazer told the publication that Hannaford was certified as PCI-compliant last spring and that it was recertified in February.

PCI standards require encryption of data that are in transit. Older payment-processing technology can leave wireless data exposed to interception for a fraction of a second during authorizations. Eleazer said Hannaford used data encryption all of last year and had upgraded its wireless encryption in 2007. She would not comment about whether insiders or vendors may be involved in the theft.